dovecot-2.0: auth: Check for potentially dangerous NULs in usern...

[dovecot at dovecot.org]

details:   http://hg.dovecot.org/dovecot-2.0/rev/99f5dd282f48
changeset: 9789:99f5dd282f48
user:      Timo Sirainen <tss at iki.fi>
date:      Fri Aug 14 02:54:41 2009 -0400
description:
auth: Check for potentially dangerous NULs in usernames.

diffstat:

3 files changed, 29 insertions(+)
src/auth/mech-cram-md5.c   |    4 ++++
src/auth/mech-digest-md5.c |    2 ++
src/auth/mech-gssapi.c     |   23 +++++++++++++++++++++++

diffs (73 lines):

diff -r f0a45d8a7984 -r 99f5dd282f48 src/auth/mech-cram-md5.c
--- a/src/auth/mech-cram-md5.c	Thu Aug 13 20:45:55 2009 -0400
+++ b/src/auth/mech-cram-md5.c	Fri Aug 14 02:54:41 2009 -0400
@@ -85,6 +85,10 @@ static bool parse_cram_response(struct c
 	/* <username> SPACE <response>. Username may contain spaces, so assume
 	   the rightmost space is the response separator. */
 	for (i = space = 0; i < size; i++) {
+		if (data[i] == '\0') {
+			*error_r = "NULs in response";
+			return FALSE;
+		}
 		if (data[i] == ' ')
 			space = i;
 	}
diff -r f0a45d8a7984 -r 99f5dd282f48 src/auth/mech-digest-md5.c
--- a/src/auth/mech-digest-md5.c	Thu Aug 13 20:45:55 2009 -0400
+++ b/src/auth/mech-digest-md5.c	Fri Aug 14 02:54:41 2009 -0400
@@ -477,6 +477,8 @@ static bool parse_digest_response(struct
 		return FALSE;
 	}
 
+	/* treating response as NUL-terminated string also gets rid of all
+	   potential problems with NUL characters in strings. */
 	copy = t_strdup_noconst(t_strndup(data, size));
 	while (*copy != '\0') {
 		if (parse_next(&copy, &key, &value)) {
diff -r f0a45d8a7984 -r 99f5dd282f48 src/auth/mech-gssapi.c
--- a/src/auth/mech-gssapi.c	Thu Aug 13 20:45:55 2009 -0400
+++ b/src/auth/mech-gssapi.c	Fri Aug 14 02:54:41 2009 -0400
@@ -214,6 +214,18 @@ import_name(struct auth_request *request
 	return name;
 }
 
+static bool data_has_nuls(const void *data, unsigned int len)
+{
+	const unsigned char *c = data;
+	unsigned int i;
+
+	for (i = 0; i < len; i++) {
+		if (c[i] == '\0')
+			return TRUE;
+	}
+	return FALSE;
+}
+
 static int get_display_name(struct auth_request *auth_request, gss_name_t name,
 			    gss_OID *name_type_r, const char **display_name_r)
 {
@@ -225,6 +237,11 @@ static int get_display_name(struct auth_
 	if (major_status != GSS_S_COMPLETE) {
 		mech_gssapi_log_error(auth_request, major_status,
 				      GSS_C_GSS_CODE, "gss_display_name");
+		return -1;
+	}
+	if (data_has_nuls(buf.value, buf.length)) {
+		auth_request_log_info(auth_request, "gssapi",
+				      "authn_name has NULs");
 		return -1;
 	}
 	*display_name_r = t_strndup(buf.value, buf.length);
@@ -498,6 +515,12 @@ mech_gssapi_unwrap(struct gssapi_auth_re
 	name = (unsigned char *)outbuf.value + 4;
 	name_len = outbuf.length - 4;
 
+	if (data_has_nuls(name, name_len)) {
+		auth_request_log_info(auth_request, "gssapi",
+				      "authz_name has NULs");
+		return -1;
+	}
+
 	login_user = p_strndup(auth_request->pool, name, name_len);
 	request->authz_name = import_name(auth_request, name, name_len);
 	if (request->authz_name == GSS_C_NO_NAME) {